I. System: CentOS 6.5 64-bit

II. Method: read /var/log/secure and look for the keyword "Failed", for example (note: the IP addresses in this article have been deliberately obscured):

Sep 09:08:09 localhost sshd[29087]: Failed password for root from 13.7.3.6 port 44367 ssh2
Sep 09:08:20 localhost sshd[29087]: Failed password for root from 13.7.3.6 port 44367 ssh2
Sep 09:10:02 localhost sshd[29223]: Failed password for root from 13.7.3.6 port 56482 ssh2
Sep 09:10:14 localhost sshd[29223]: Failed password for root from 13.7.3.6 port 56482 ssh2

The source IP address is extracted from these lines, and once more than 5 failures have been counted for an address it is written to /etc/hosts.deny.
III. Steps:

1. First, put the IP addresses that must always be allowed into /etc/hosts.allow. This is very important! For example:

sshd:19.16.18.1:allow
sshd:19.16.18.2:allow

2. The script /root/sh/secure_ssh.sh:

#!/bin/bash
# Count "Failed" lines in /var/log/secure per source IP ($(NF-3) is the address
# in "Failed password for <user> from <ip> port <n> ssh2") and write one
# "IP=count" line per address to /var/log/sshlogin.log.
cat /var/log/secure | awk '/Failed/{print $(NF-3)}' | sort | uniq -c | awk '{print $2"="$1;}' > /var/log/sshlogin.log
DEFINE="5"
for i in `cat /var/log/sshlogin.log`
do
    IP=`echo $i | awk -F= '{print $1}'`
    NUM=`echo $i | awk -F= '{print $2}'`
    # Deny the address once its failure count exceeds DEFINE,
    # unless it is already listed in /etc/hosts.deny.
    if [ $NUM -gt $DEFINE ]; then
        grep $IP /etc/hosts.deny > /dev/null
        if [ $? -gt 0 ]; then
            echo "sshd:$IP:deny" >> /etc/hosts.deny
        fi
    fi
done
3. Add secure_ssh.sh to cron as a scheduled task that runs every minute:

# crontab -e
*/1 * * * * sh /root/sh/secure_ssh.sh
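The following is an added example, not the article's own script: it implements the same count-and-deny logic as steps 1 to 3, but runs against constructed log lines and temporary stand-ins for /etc/hosts.allow and /etc/hosts.deny, so it can be executed to see the behaviour without touching the system. Two details differ from the article's script on purpose: the whitelist in hosts.allow is checked before denying (the article relies on hosts.allow being consulted first by TCP wrappers, which is true, but checking it here keeps the deny file clean), and the "already denied?" check matches the whole line rather than a substring, so that 10.0.0.1 is not mistaken for 10.0.0.12. The addresses, file names and the function names count_failures and update_deny are assumptions for this example.

```shell
#!/bin/sh
# Added example, not the article's script. Uses constructed log lines and
# temporary files; addresses are from the RFC 5737 documentation ranges.

# Constructed sample of /var/log/secure: 203.0.113.10 fails 6 times (4 as root,
# 2 as an invalid user), 198.51.100.7 fails twice, 192.0.2.5 fails 6 times but
# is whitelisted below. The "Accepted" line must not be counted.
SAMPLE_SECURE=$(mktemp)
cat > "$SAMPLE_SECURE" <<'EOF'
Sep  9 09:08:09 localhost sshd[29087]: Failed password for root from 203.0.113.10 port 44367 ssh2
Sep  9 09:08:20 localhost sshd[29087]: Failed password for root from 203.0.113.10 port 44367 ssh2
Sep  9 09:10:02 localhost sshd[29223]: Failed password for root from 203.0.113.10 port 56482 ssh2
Sep  9 09:10:14 localhost sshd[29223]: Failed password for root from 203.0.113.10 port 56482 ssh2
Sep  9 09:11:01 localhost sshd[29301]: Failed password for invalid user admin from 203.0.113.10 port 56490 ssh2
Sep  9 09:11:09 localhost sshd[29301]: Failed password for invalid user admin from 203.0.113.10 port 56490 ssh2
Sep  9 09:12:30 localhost sshd[29350]: Failed password for root from 198.51.100.7 port 40111 ssh2
Sep  9 09:12:41 localhost sshd[29350]: Failed password for root from 198.51.100.7 port 40111 ssh2
Sep  9 09:13:00 localhost sshd[29400]: Accepted password for root from 203.0.113.10 port 56500 ssh2
Sep  9 09:14:05 localhost sshd[29410]: Failed password for root from 192.0.2.5 port 50001 ssh2
Sep  9 09:14:09 localhost sshd[29410]: Failed password for root from 192.0.2.5 port 50001 ssh2
Sep  9 09:14:13 localhost sshd[29410]: Failed password for root from 192.0.2.5 port 50001 ssh2
Sep  9 09:14:20 localhost sshd[29411]: Failed password for root from 192.0.2.5 port 50002 ssh2
Sep  9 09:14:24 localhost sshd[29411]: Failed password for root from 192.0.2.5 port 50002 ssh2
Sep  9 09:14:28 localhost sshd[29411]: Failed password for root from 192.0.2.5 port 50002 ssh2
EOF

# Print one "IP=COUNT" line per source address. $(NF-3) is the address both in
# "Failed password for root from IP port N ssh2" and in
# "Failed password for invalid user X from IP port N ssh2".
count_failures() {
    awk '/Failed password/ {print $(NF-3)}' "$1" | sort | uniq -c | awk '{print $2 "=" $1}'
}

# Usage: update_deny SECURE_LOG ALLOW_FILE DENY_FILE THRESHOLD
# Appends "sshd:IP:deny" to DENY_FILE for every address whose failure count
# exceeds THRESHOLD, skipping addresses listed in ALLOW_FILE and addresses
# already present in DENY_FILE (so repeated cron runs do not add duplicates).
update_deny() {
    ud_secure=$1; ud_allow=$2; ud_deny=$3; ud_threshold=$4
    count_failures "$ud_secure" | while IFS='=' read -r ip num; do
        [ "$num" -gt "$ud_threshold" ] || continue
        # -x matches the whole line, -F treats the dots literally.
        if grep -qxF "sshd:$ip:allow" "$ud_allow"; then
            continue
        fi
        if ! grep -qxF "sshd:$ip:deny" "$ud_deny"; then
            echo "sshd:$ip:deny" >> "$ud_deny"
        fi
    done
}

ALLOW_FILE=$(mktemp)
DENY_FILE=$(mktemp)
echo "sshd:192.0.2.5:allow" > "$ALLOW_FILE"   # the administrator's own address (step 1)

update_deny "$SAMPLE_SECURE" "$ALLOW_FILE" "$DENY_FILE" 5
update_deny "$SAMPLE_SECURE" "$ALLOW_FILE" "$DENY_FILE" 5   # second run must not duplicate

echo "--- failure counts ---"
count_failures "$SAMPLE_SECURE"
echo "--- hosts.deny stand-in ---"
cat "$DENY_FILE"
```

Two caveats carry over from the article's approach. The count is taken over the whole of /var/log/secure with no time window, so an address that accumulates six failures spread over weeks is denied just like one that fails six times in a minute, and nothing ever removes an entry. And the block relies on sshd honouring TCP wrappers (libwrap), which CentOS 6's sshd does; OpenSSH 6.7 dropped libwrap support, so on systems with a newer build hosts.deny has no effect on sshd and a firewall rule is needed instead.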
IV. Test:

1. Open two terminal windows: in one, connect to the server over SSH; in the other, connect to the server several times with a wrong password.

Soon there are records in the blacklist file on the server:

# cat /var/log/sshlogin.log
13.26.21.27=3

And look at hosts.deny on the server:

# cat /etc/hosts.deny
sshd:13.7.3.6:deny
sshd:92.4.0.4:deny
sshd:94.10.4.2:deny
sshd:94.4.1.6:deny
sshd:11.64.11.5:deny
2. Continue the "brute force" connection attempts against the server from the other terminal window.

Look at the blacklist file on the server:

# cat /var/log/sshlogin.log
13.26.21.27=6

And look at hosts.deny on the server:

# cat /etc/hosts.deny
sshd:13.7.3.6:deny
sshd:92.4.0.4:deny
sshd:94.10.4.2:deny
sshd:94.4.1.6:deny
sshd:11.64.11.5:deny
sshd:13.26.21.27:deny

The IP has been added to the server's hosts.deny; connecting to the server afterwards, even with the correct password, is refused:

$ ssh <user>@<server> -p 2333
ssh_exchange_identification: connection closed by remote host
This article is from the "it--Brother" blog; please keep this source: http://402753795.blog.51cto.com/10788998/1760377
Prevent brute force SSH remote connection